Clothing giant FatFace had a data breach, but doesn’t want you to tell anyone about it.
The company sent an email to customers this week disclosing that it first detected a breach on January 17. A hacker made off with the customer’s name, email and postal address, and the last four-digits of their credit card. “Full payment card information was not compromised,” the notice reiterated.
But despite going out to thousands of customers, the email said to “keep this email and the information included within it strictly private and confidential,” an entirely unenforceable request.
Under the U.K. data protection laws, a company must disclose a data breach within 72 hours of becoming aware of an incident, but there are no legal requirements on the customer to keep the information confidential. It didn’t take long for the company to face flack from the public. The company didn’t have much to say in response, asking instead to “DM us with any questions.”
In a statement sent via crisis communications firm Kekst CNC, FatFace said: “The notification email was marked private and confidential due to the nature of the communication, which was intended for the individual concerned. Given its contents, we wanted to make this clear, which is why we marked it private and confidential.” (FatFace declined to attribute the statement to a named spokesperson.)
TechCrunch obtained a near-identical email sent to its staff from a former employee who asked not to be named. The email to employees was largely the same as the customer email, but warned that staff may have had their bank account information and their National Insurance numbers — the U.K. equivalent of Social Security — compromised.
FatFace confirmed “a select number of employees, former employees and customers and providing appropriate guidance and support,” but would not say specifically how many customers and employees were affected by the breach.